Identifying cyber risk factors associated with construction projects
DOI: https://doi.org/10.3846/jcem.2025.25213
Abstract
As construction projects adopt increasingly interconnected digital technologies, their cyber-attack surface expands, making comprehensive cyber risk management essential to prevent incidents, mitigate risks, and minimize potential losses resulting from such attacks. However, the necessary risk factors for this purpose are lacking. Therefore, the study aims to develop a comprehensive set of project-level cyber risk factors tailored to the complexities of construction projects, identified through a systematic and flexible seven-step methodological framework: (1) a literature review of construction and cybersecurity sources to identify initial factors; (2) initial definition of risk categories; (3) internal evaluation and expert input to refine these factors; (4) distribution of a detailed expert questionnaire for rating; (5) expert evaluations through meetings and feedback sessions to enhance validity; (6) elimination of lower-scoring factors; and (7) establishment of quantitative scales for precise risk assessment. The findings comprise 32 identified risk factors organized into five groups: project information, project structure, information technology (IT), operational technology (OT), and management and human aspects. The contributions include providing a set of risk factors that serve as cybersecurity management references and inputs for future quantitative risk assessments, offering a checklist for proactive risk management, and introducing a framework adaptable for identifying factors of other risks.
Keywords:
construction cybersecurity, digital transformation, risk factors, risk assessment, industry-specific vulnerabilities
License
Copyright (c) 2025 The Author(s). Published by Vilnius Gediminas Technical University.

This work is licensed under a Creative Commons Attribution 4.0 International License.